Operational Resilience Audit


Table of Content for Operational Resilience Audit and Review [Cross Reference to MAS BCM Guidelines]

Operational Resilience Audit Questionnaires and Checklist

Operational Resilience Planning Methodology

The Operational Resilience Planning Methodology has three phases: "Plan", "Implement" and "Sustain". Each phase has five stages.

Click each of the five stages within each phase to find out more about the detailed questions to be asked and the checklist that supports them. Note that there is some overlap between stages in terms of content.

The rationale is that you, as a reviewer or auditor, will not be conducting the audit or review for all three phases together; hence, the key controls still need to be embedded in several stages.

Click the icon on the right to access MAS BCM Guidelines.

 


Questionnaires and Checklist "Plan" Phase

  • Assess Capability and Maturity
  • Analyse Gap
  • Develop Strategy Roadmap
  • Confirm Risk Appetite
  • Develop and Embed Governance

Cross reference to MAS BCM Guidelines:

  • 5. Concentration Risk
  • 7. Responsibilities of Board and Senior Management

Questionnaires and Checklist "Implement" Phase

  • Identify Critical Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt

Cross reference to MAS BCM Guidelines:

  • 2. Critical Business Services and Functions
  • 4. Dependency Mapping
  • 3. Service Recovery Time Objectives
  • 7. Testing
  • 6. Continuous Review and Improvement

Questionnaires and Checklist "Sustain" Phase

  • Introduce Cultural Change
  • Develop Communication Strategy
  • Implement Training and Awareness
  • Provide Self-assessment
  • Conduct Independent Quality Review

Cross reference to MAS BCM Guidelines:

  • 7. Responsibilities of Board and Senior Management
  • 9. Incident and Crisis Management (Communication with staff and Stakeholders)
  • 8. Audit

Summary of Guidelines on Business Continuity Management issued by the Monetary Authority of Singapore


Key Focus Areas for Guidelines on Business Continuity Management by the Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services. 

Objective

This blog aims to provide an overview of the key aspects of the MAS Guidelines on BCM, with a specific focus on the ten areas mentioned in the guidelines. Refer to the guideline itself on the MAS webpage.

The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.

Application of MAS Guidelines

The first section of the MAS Guidelines on BCM emphasises that the guidelines apply to all financial institutions that MAS regulates in Singapore. This includes banks, insurers, and capital market intermediaries.

The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.

Compliance with these guidelines is mandatory, and institutions are expected to maintain a state of readiness to respond to and recover from disruptions.

Notes on OR Vs BCM: Related regulatory requirements or guidelines have been issued by other central banks worldwide. These regulations will be under your purview if you have global or regional responsibilities.

Critical Business Services and Functions

Financial institutions must identify and prioritise their critical business services (CBS) and critical business functions (CBF) essential for maintaining financial stability and providing uninterrupted services to customers.

Do note that there is a difference between CBS and CBF.

The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.

Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.

Notes on OR Vs BCM: Regulators in other jurisdictions use similar terminology. "Critical Business Services" is the term used by MAS, while "Critical Operations" is the term used by the US FED and the Hong Kong Monetary Authority.

Service Recovery Time Objective (SRTO)


The Service Recovery Time Objective (SRTO) refers to the timeframe within which critical business services and functions should be recovered following a disruption.

The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.

Financial institutions must define RTOs for their critical services and functions based on their business impact analysis.

The RTOs should be regularly reviewed and tested to ensure their effectiveness.

Notes on OR Vs BCM: Regulators in other jurisdictions use similar terminology. It is also helpful to understand the difference between the SRTO defined by MAS, the actual RTO used in BCM practice, and the Impact Tolerance spelt out by other regulators.

Dependency Mapping

Dependency mapping is a crucial aspect of BCM that involves identifying and understanding the interdependencies between various systems, processes, and external parties.

Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.

The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.

Concentration Risk

Concentration risk refers to the exposure an organisation faces due to a significant reliance on a single point of failure.

The MAS Guidelines on BCM stress the importance of identifying and mitigating concentration risk as a critical component of business continuity planning.

Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.

By diversifying critical services and functions, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.

The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.

Continuous Review and Improvement

The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.

BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.

Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.

The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.

Notes on OR Vs BCM: The term "continuous improvement" appears as part of the standard in most published regulations. The key is to learn from past incidents and from deficiencies identified as part of testing and exercising.

Testing

Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.

The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.

Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.

Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.

The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.

Notes on OR Vs BCM: End-to-end testing based on a scenario is called Scenario Testing. It is helpful to review the difference between operational resilience testing and BC testing.

Audit

The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.

Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.

These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.

Incident and Crisis Management

Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.

The MAS Guidelines on BCM emphasise the need for financial institutions to establish robust incident and crisis management frameworks. This includes defining roles and responsibilities, establishing communication protocols, and implementing escalation procedures.

Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance the readiness and capability of staff to respond to incidents and crises promptly and effectively.

Responsibilities of Board and Senior Management

The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.

Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.

The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.

They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.

Regular reporting on BCM performance, including key metrics and progress against action plans, should be provided to the board and senior management.

Notes on OR Vs BCM: The challenge in implementing OR is that, despite the COVID experiences, the board and most senior management are informed of the response after an event.

To meet this requirement, the board of directors and senior management must actively oversee the organisation's operational resilience framework in relation to its strategy and risk appetite, which enables them to make the correct investment and risk decisions.

Conclusion

The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.

By adhering to these guidelines, financial institutions can enhance their resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services. 

 

ORA [Plan] Questionnaires: Develop Strategy Roadmap

Develop Strategy Roadmap

What is a Strategy Roadmap?

A strategy roadmap is a bridge between strategy and execution. It visualizes the critical outcomes of the operational resilience effort that must be delivered over a particular time horizon to achieve the organisation's strategic vision.

The outcomes on the strategy roadmap are substantiated by a clear understanding of the organisation's capabilities and of the gaps and priorities that must be addressed.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the second stage of the Plan phase: Develop Strategy Roadmap.

Audit Checklist for Develop Strategy Roadmap

 

1. Governance and Leadership

  • Is there a clear governance structure in place for the operational resilience program?
  • Are roles and responsibilities for program leadership clearly defined?
  • Is there senior management oversight and involvement in the program?
  • Are there mechanisms to escalate and resolve issues related to operational resilience?
Checklist
  • Establish a clear governance structure with defined roles and responsibilities for operational resilience.
  • Ensure senior management oversight and involvement in the program.
  • Develop policies and procedures to support effective governance and decision-making.
  • Define mechanisms for escalation and resolution of operational resilience issues.

2. Risk Assessment and Identification

  • Has a comprehensive risk assessment been conducted to identify potential operational risks?
  • Are all critical business processes and dependencies identified?
  • Have risk thresholds and impact tolerances been established?
  • Is there a process to regularly update and reassess risks and dependencies?
Checklist
  • Develop a standardized risk assessment methodology for identifying and evaluating operational risks.
  • Ensure all critical business processes, systems, and dependencies are identified.
  • Establish risk thresholds and impact tolerances to prioritize risks.
  • Implement a process for regular risk monitoring and reassessment.

3. Business Impact Analysis

  • Has a business impact analysis been performed to assess the potential consequences of operational disruptions?
  • Are critical functions and processes prioritized based on their impact on the organization?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Has the impact of interdependencies between processes been considered?
Checklist
  • Conduct a comprehensive business impact analysis to assess the potential consequences of operational disruptions.
  • Prioritize critical functions and processes based on their impact on the organization.
  • Define recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Analyze interdependencies between processes to identify potential ripple effects.

4. Strategy Development

  • Has a strategy roadmap been developed to implement the operational resilience program?
  • Are there explicit goals and objectives for the program?
  • Is the strategy aligned with the organization's overall risk management and business continuity plans?
  • Are resource requirements and budget considerations identified in the strategy?
Checklist
  • Define the vision, goals, and objectives of the operational resilience program.
  • Align the strategy with the organization's overall risk management and business continuity plans.
  • Identify resource requirements, including budget, personnel, and technology.
  • Develop a roadmap with clear milestones and timelines for implementation.

5. Incident Response and Recovery

  • Is there an incident response plan for different types of operational disruptions?
  • Are roles and responsibilities clearly defined in the incident response plan?
  • Has the plan been tested and updated regularly?
  • Is there a process for learning from incidents and improving the operational resilience program?
Checklist
  • Establish an incident response plan that outlines procedures for responding to and recovering from operational disruptions.
  • Define roles and responsibilities for incident management, including incident response teams.
  • Regularly test and update the incident response plan to ensure its effectiveness.
  • Establish mechanisms for learning from incidents and incorporating improvements into the operational resilience program.

6. Communication and Coordination

  • Is there a communication plan to ensure effective communication during operational disruptions?
  • Are stakeholders identified and informed about the operational resilience program?
  • Is there coordination with external partners, vendors, and regulators during incidents?
  • Are there mechanisms to provide timely updates to stakeholders and manage their expectations?
Checklist
  • Define the vision and objectives of the operational resilience program.
  • Conduct a thorough assessment of the current state of operational resilience.
  • Identify key stakeholders and establish communication channels.
  • Develop a governance structure with clear roles and responsibilities.
  • Define risk assessment methodologies and criteria.
  • Perform a comprehensive risk assessment and document the findings.
  • Conduct a business impact analysis to prioritize critical functions and processes.
  • Develop recovery strategies and plans for critical processes.
  • Identify resource requirements and budget considerations.
  • Establish performance metrics and key performance indicators (KPIs) for measuring progress.
  • Develop an incident response plan with clear escalation procedures.
  • Test and validate the incident response plan through simulations and drills.
  • Develop a communication plan for internal and external stakeholders.
  • Establish mechanisms for ongoing monitoring and reporting of operational resilience.
  • Regularly review and update the strategy roadmap to incorporate lessons learned and evolving risks.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Plan] Questionnaires: Confirm Risk Appetite

Confirm Risk Appetite

What is Risk Appetite?

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.  The scope is further enlarged when viewed from an operational resilience perspective.

It reflects the organization’s risk management philosophy and influences its culture and operating style.

This section is the "Plan" phase of the Operational Resilience Planning Methodology. It is the fourth stage of the Plan phase: Confirm Risk Appetite.

Audit Checklist to Confirm Risk Appetite

 

1. Risk Appetite Framework

  • Is there a documented risk appetite framework in place?
  • Have senior management and the board approved the risk appetite framework?
  • Does the risk appetite framework align with the organization's objectives and strategy?
  • Is the risk appetite framework effectively communicated throughout the organization?
  • Are risk appetite statements measurable and specific, allowing for meaningful risk assessments?
  • Are risk appetite limits clearly defined for different types of operational risks?
  • Are risk appetite limits regularly reviewed and updated to reflect changes in the business environment?
  • Is there a mechanism to monitor and report on adherence to risk appetite limits?

Checklist

  • Review the documented risk appetite framework and ensure it is easily accessible to relevant stakeholders.
  • Verify that senior management and the board have approved the risk appetite framework.
  • Evaluate the alignment of the risk appetite framework with the organization's overall objectives and strategy.
  • Assess the effectiveness of communication channels that convey the risk appetite framework to employees.
  • Review risk appetite statements, assess whether they are measurable and specific, and facilitate meaningful risk assessments.
  • Evaluate the clarity and specificity of risk appetite limits set for different types of operational risks.
  • Confirm that risk appetite limits are regularly reviewed and updated to reflect changes in the business environment.
  • Assess the availability of mechanisms to monitor and report on adherence to risk appetite limits.

2. Risk Identification and Assessment

  • Has the organization conducted a comprehensive identification of operational risks?
  • Are risk assessments conducted regularly to identify new and emerging risks?
  • Are risk assessments based on a combination of qualitative and quantitative factors?
  • Are risk assessments conducted consistently across all relevant business areas?
  • Are risk assessments aligned with the organization's risk appetite framework?
  • Are potential impacts on critical business processes and systems considered in risk assessments?
  • Is there a process to validate and review risk assessments conducted by different business units?
  • Do appropriate data and evidence support risk assessments?
Checklist
  • Evaluate the comprehensiveness of the organization's risk identification process.
  • Review documented risk assessments and evaluate if they cover various operational risks.
  • Assess the frequency of risk assessments to determine if they are conducted regularly and reflect current risks.
  • Verify that risk assessments consider both qualitative and quantitative factors in evaluating risks.
  • Review risk assessment processes across different business areas for consistency and standardization.
  • Confirm that risk assessments are aligned with the organization's risk appetite framework.
  • Evaluate if risk assessments consider potential impacts on critical business processes and systems.
  • Assess the process for validating and reviewing risk assessments conducted by different business units.

3. Risk Tolerance and Risk Mitigation

  • Has the organization established risk tolerance levels for different operational risks?
  • Are risk tolerance levels consistent with the risk appetite framework?
  • Are risk tolerance levels clearly defined and communicated to relevant stakeholders?
  • Is there a process to monitor and measure risks against established tolerance levels regularly?
  • Are risk mitigation strategies in place for risks exceeding the risk tolerance levels?
  • Are risk mitigation strategies aligned with the organization's risk appetite and overall strategy?
  • Are risk mitigation actions prioritized based on their potential impact on operational resilience?
  • Is there a mechanism to monitor and evaluate the effectiveness of risk mitigation measures?
Checklist
  • Verify the establishment of risk tolerance levels for different operational risks.
  • Assess the consistency of risk tolerance levels with the risk appetite framework.
  • Review the clarity and effectiveness of communication regarding risk tolerance levels to relevant stakeholders.
  • Evaluate the monitoring and measurement mechanisms to track risks against established tolerance levels.
  • Assess the effectiveness of risk mitigation strategies for risks exceeding the risk tolerance levels.
  • Confirm the alignment of risk mitigation strategies with the organization's risk appetite and overall strategy.
  • Assess the prioritization process for risk mitigation actions based on the potential impact on operational resilience.
  • Evaluate the availability of mechanisms to monitor and evaluate the effectiveness of risk mitigation measures.

4. Incident Management and Response

  • Does the organization have a documented incident management plan in place?
  • Is the plan regularly reviewed and updated to reflect changes in the business environment?
  • Are roles and responsibilities clearly defined for incident response teams?
  • Are there defined escalation procedures for different types of incidents?
  • Is there a process for identifying, assessing, and prioritizing incidents based on their potential impact?
  • Does the organization have a communication plan for notifying stakeholders about incidents?
  • Are there established metrics and thresholds for measuring the effectiveness of incident response activities?
  • Has the organization conducted post-incident reviews to identify areas for improvement?
  • Are incident response procedures aligned with the organization's risk appetite?
Checklist
  • Review the documented incident management plan and assess its alignment with the organization's risk appetite.
  • Evaluate whether the plan includes clear roles and responsibilities for incident response teams.
  • Assess the defined escalation procedures for different incidents and their alignment with risk appetite.
  • Verify the presence of a process for identifying, assessing, and prioritizing incidents based on potential impact and risk appetite.
  • Examine the communication plan for notifying stakeholders about incidents and assess its effectiveness in aligning with risk appetite.
  • Check if there are established metrics and thresholds for measuring the effectiveness of incident response activities and their alignment with risk appetite.
  • Evaluate whether the organization conducts post-incident reviews to identify areas for improvement and ensure they align with risk appetite.
  • Assess the alignment of incident response procedures with the organization's risk appetite.

5. Business Continuity Planning

  • Has the organization conducted a business impact analysis to identify critical business functions and their dependencies?
  • Are there documented business continuity plans in place for critical functions?
  • Have the plans been tested and validated to ensure their effectiveness?
  • Are there defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions?
  • Is there a process for regularly reviewing and updating the business continuity plans?
  • Are employees aware of their roles and responsibilities during business disruption?
  • Has the organization identified alternative work locations or facilities in case of a site failure?
  • Are there established communication channels and procedures for coordinating the execution of business continuity plans?
  • Are business continuity plans aligned with the organization's risk appetite?
Checklist
  • Review the business impact analysis to identify critical business functions and their dependencies.
  • Assess the presence and effectiveness of documented business continuity plans for critical functions.
  • Verify if the plans have been tested and validated to ensure their effectiveness aligns with risk appetite.
  • Evaluate the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions and their alignment with risk appetite.
  • Assess the process for regularly reviewing and updating the business continuity plans to ensure they align with risk appetite.
  • Evaluate the awareness among employees regarding their roles and responsibilities in the event of business disruption and their alignment with risk appetite.
  • Verify the identification of alternative work locations or facilities in case of site failure and their alignment with risk appetite.
  • Assess the communication channels and procedures for coordinating the execution of business continuity plans and their alignment with risk appetite.
  • Evaluate the alignment of business continuity plans with the organization's risk appetite.

5. Testing and Exercising

  • Has the organization conducted regular testing and exercising of its operational resilience plans?
  • Are different scenarios and incidents considered during testing, including worst-case scenarios?
  • Is there a process for capturing and documenting lessons learned from testing exercises?
  • Are test results and findings communicated to relevant stakeholders for review and remediation?
  • Are there established criteria for evaluating the effectiveness of testing exercises?
  • Based on testing results, has the organization addressed any identified deficiencies or gaps in the operational resilience plans?
  • Are testing and exercising activities aligned with the organization's risk appetite?
Checklist
  • Assess whether the organization conducts regular testing and exercising of its operational resilience plans.
  • Evaluate if different scenarios and incidents, including worst-case scenarios, are considered during testing in alignment with risk appetite.
  • Verify the presence of a process for capturing and documenting lessons learned from testing exercises and their alignment with risk appetite.
  • Assess the communication of test results and findings to relevant stakeholders for review and remediation, aligning with risk appetite.
  • Verify the existence of established criteria for evaluating the effectiveness of testing exercises and their alignment with risk appetite.
  • Evaluate if the organization addresses identified deficiencies or gaps in operational resilience plans based on testing results and risk appetite.
  • Assess the alignment of testing and exercising activities with the organization's risk appetite.

6. Governance and Oversight

  • Does the organization have a designated governance body responsible for overseeing operational resilience?
  • Are governance responsibilities and decision-making authorities clearly defined?
  • Does governance regularly assess the organization's operational resilience strategy and plans?
  • Is there a process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs)?
  • Are there mechanisms to ensure compliance with applicable laws, regulations, and industry standards?
  • Does the organization have a risk appetite statement that includes operational resilience?
  • Are risk appetite thresholds and tolerances clearly defined for operational resilience?
  • Is there a process for regularly reviewing and updating the risk appetite statement?
  • Are governance and oversight activities aligned with the organization's risk appetite?
Checklist
  • Assess the presence of a designated governance body responsible for overseeing operational resilience.
  • Evaluate if governance responsibilities and decision-making authorities are clearly defined and align with risk appetite.
  • Review the process for regularly reviewing and assessing the organization's operational resilience strategy and plans, aligning with risk appetite.
  • Assess the process for monitoring and reporting operational resilience metrics and key performance indicators (KPIs) in alignment with risk appetite.
  • Verify the mechanisms to ensure compliance with applicable laws, regulations, and industry standards, aligning with risk appetite.
  • Evaluate the presence and alignment of a risk appetite statement that includes operational resilience.
  • Assess the clarity and regular review process of risk appetite thresholds and tolerances for operational resilience.
  • Evaluate the overall alignment of governance and oversight activities with the organization's risk appetite.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

ORA [Sustain] Questionnaires: Conduct and Provide Self-assessments


Provide Self-assessments

What is Self-assessment?

Self-Assessment in Operational Resilience ensures that the regulated organisation captures and documents the steps taken towards operational resilience and provides a comprehensive and objective evaluation of the organisation's strategy and overall ability to respond to disruptions.

This section is the "Sustain" phase of the Operational Resilience Planning Methodology.  It is the fourth stage of the Sustain phase: Provide Self-assessment.

Audit Checklist for Provide Self-assessments

1. Documentation and Policies

  • Are operational resilience policies and procedures well-documented and readily accessible?
  • Are the policies and procedures aligned with industry best practices and regulatory requirements?
  • Do the documented policies clearly define roles, responsibilities, and accountability for operational resilience?
  • Is there evidence of regular reviews and updates to the operational resilience documentation?
Checklist
  • Review the documentation of operational resilience policies and procedures.
  • Assess the alignment of policies with industry best practices and regulations.
  • Evaluate the clarity and completeness of roles, responsibilities, and accountability definitions.
  • Verify the existence of a process for regular reviews and updates to the documentation.

2. Risk Assessment and Analysis

  • Has a comprehensive risk assessment been conducted to identify and assess potential risks?
  • Are risks prioritized based on their potential impact and likelihood?
  • Are mitigation strategies and controls in place to address identified risks?
  • Is there a process for regularly monitoring and updating risk assessments?
Checklist
  • Evaluate the documentation of the risk assessment process.
  • Assess the comprehensiveness of the risk assessment, including identification and assessment of risks.
  • Verify the prioritization of risks based on impact and likelihood.
  • Review the documented mitigation strategies and controls.
  • Determine if there is a process for regularly monitoring and updating risk assessments.

3. Business Impact Analysis (BIA)

  • Has a thorough business impact analysis (BIA) been conducted to identify critical processes and systems?
  • Have the potential impacts of disruptions to critical processes and systems been assessed?
  • Are recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical processes?
  • Are mitigation strategies and plans in place to ensure the timely recovery of critical processes?
Checklist
  • Review the business impact analysis (BIA) process documentation.
  • Evaluate the completeness and accuracy of the identification of critical processes and systems.
  • Assess the thoroughness of the assessment of potential impacts.
  • Verify the definition of recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical processes.
  • Review the mitigation strategies and plans to ensure timely recovery.

4. Training and Awareness

  • Is there a training program in place to educate employees on operational resilience?
  • Are employees aware of their roles and responsibilities regarding operational resilience?
  • Are there mechanisms to track and monitor employee completion of operational resilience training?
  • Are there regular communication and awareness campaigns to promote a culture of operational resilience?
Checklist
  • Review the training program documentation for operational resilience.
  • Evaluate the effectiveness of the training in educating employees.
  • Assess the mechanisms in place to track and monitor employee completion of training.
  • Verify the existence of regular communication and awareness campaigns.
  • Determine the extent of the culture of operational resilience within the organization.

5. Testing and Exercise Evaluation

  • Have operational resilience plans and procedures been tested through exercises and simulations?
  • Is there a documented schedule for testing and exercising operational resilience capabilities?
  • Are different scenarios and levels of disruptions considered during testing?
  • Are testing results analyzed to identify areas for improvement and corrective actions?
  • Are there mechanisms to track and follow up on implementing corrective actions identified during testing?
Checklist
  • Review the operational resilience testing and exercise plan documentation. 
  • Evaluate the adequacy of the testing schedule and the consideration of various scenarios.
  • Assess the testing results analysis to identify improvement areas.
  • Determine if lessons learned from testing and exercises are documented and incorporated into improvements.

6. Incident Response Evaluation

  • Is there an incident response plan for operational resilience incidents?
  • Has the incident response plan been tested and validated?
  • Are roles, responsibilities, and communication channels clearly defined within the incident response plan?
  • Is there a designated incident response team and a straightforward escalation process?
  • Is there a process for post-incident analysis and continuous improvement of the incident response capabilities?
Checklist
  • Review the incident response plan documentation for operational resilience incidents.
  • Evaluate the testing and validation activities conducted on the incident response plan.
  • Assess the clarity and accuracy of roles, responsibilities, and communication channels.
  • Verify the existence and composition of the incident response team and the escalation process.
  • Determine if there is a process for post-incident analysis and continuous improvement.

7. Continuous Improvement

  • Is there a process in place to monitor and review the effectiveness of the operational resilience program?
  • Are lessons learned from incidents, tests, and exercises incorporated into improvements?
  • Is there a mechanism to capture and address feedback and suggestions for operational resilience?
  • Are there metrics and performance indicators to measure the effectiveness of the operational resilience program?
  • Is there a culture of continuous improvement and learning within the organization?
Checklist
  • Evaluate the process for monitoring and reviewing the effectiveness of the operational resilience program.
  • Assess the incorporation of lessons learned from incidents, tests, and exercises into improvements.
  • Verify the existence of a mechanism to capture and address feedback and suggestions.
  • Review the metrics and performance indicators for measuring program effectiveness.
  • Determine the extent of the organization's continuous improvement and learning culture.

Do note that some steps may overlap or appear similar in the other stages of the OR planning phases.  If this occurs, the questionnaires and checklists must be contextualised to the topic under review.

More Information About Blended Learning Operational Resilience Audit (ORA) Courses

BCM Institute offers two levels of OR auditing courses: ORA-3 Blended Learning ORA-300 Operational Resilience Audit Specialist and the ORA-5 Blended Learning ORA-5000 Operational Resilience Audit Expert.
